Thousands of PCs infected with new ransomware variant in China

A new malware variant has been discovered in China; this malicious program has infected over 100k devices in less than a week

Digital forensics specialists from the International Institute of Cyber Security report that a new variant of ransomware is quickly spreading in China. So far, the infection has already reached over 100k computers over the past four days due to a supply chain attack; the number of infected computers keeps growing along the hours.

What keeps attracting the attention of the cybersecurity community is that, unlike other malware variants, this new ransomware does not demand a ransom payment in Bitcoin. Instead, hackers demand victims a payment for 110 yen (about $16 USD), figure that must be transferred through WeChat Pay, a function to perform transactions through the most widely used messaging service in China.

Password theft

So far, the evidence suggests that this malicious program has only affected users in China, unlike similar outbreaks, such as WannaCry or NotPetya. In addition, this malware seems to have an additional password theft feature, for credentials used in services such as Alipay, Taobao, Tmall, AliWangWang and QQ. Apparently the ransomware steals access credentials to these platforms and sends them to a remote server.

According to reports of a China-based digital forensics firm, the operators of this campaign managed to deploy their attack by injecting malicious code into the EasyLanguage programming software, used by most of the app developers in China.

This program modified for malicious purposes was intended to inject the code of the ransomware into each app and software product compiled through EasyLanguage, making the virus spread incredibly quickly.

Over 100k users in China who installed any of the infected developments are now in a compromising situation. This ransomware strain has shown to be able to encrypt all files of the infected system, with the exception of files with gif, exe and tmp extensions.

Stolen digital signatures

To avoid antivirus solutions, hackers signed the malicious code with a seemingly reliable digital signature from Tencent Technologies, and they try not to encrypt files in specific directories, such as Tencent Games, League of Legends, tmp, rtl and program.

According to experts in digital forensics, once the ransomware encrypts the user’s files, a text file appears demanding the user to make the payment of 110 yen to the WeChat account linked to the malicious software. The attackers mention that the user only has a three-day deadline to make the payment and receive the keys to restore their files. If the ransom is not covered in the time marked by the attackers, the program starts an automatic process of deleting the encryption key from a remote server.

According to the collected evidence, the ransom note mentions that the files have been encrypted using the DES encryption algorithm, but in fact, the data is encrypted using an XOR cipher, a much less secure one that stores a copy of the encryption key in the victim’s system in the following location:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

A tool to remove encryption is already in development thanks to this information. In addition, after receiving the reports of this attack campaign, WeChat suspended the account in which the attackers were receiving the ransom payment.